firstly, fire up your SoftIce, and set the break point on GetWindowTextA,
go back into the SnagIt's register dialogbox,fill in some information at will,
then click the 'ok' button,SoftIce'll pop up as it hook at the api we set
just now. out of the api by pushing F10 about times. you can easyly find the
address ( offset: 47b01a ), here is the snippet of code over the offset: 47b01a

we'll be warned with the nag and kicked off from the code, if bl got
0 from above call. and that call is most important call for calculate
the real RegCode and use it to compare with our fake key. so you should
know how to do with your brute forcing way. whereas out purpose was to
find out the scheme that the SnagIt use to generate the real RegCode and
got one of certified informations by ourself. so go on. we're more and
more closer with our final goal from now on.
go into the most important call at address 4795a7 that mentioned above.
and you'll get a little confusion about the code below, and do not be
worry about that. i'll nevigate you throughout it.

all of above code do some initializations and the call nearby are checking
if the entered key is illegal by counting the number of the every chars of the
key except for the non-hexadecimal number( legal char is between 0~F ). and
compare the result with 0Eh, game over if they are not equal. so do remember
the legal RegCode is composed with the hexadecimal number.

here move the h_num to diand compare it with 041h, if it shy, then
game over. add it with 0ffbf and check the al with 050h, that use to
switch the program from two flows. if the addition result less than 050h
it will involve the userName procedure, else it's simply to cope with.
i forgot commenting some code above, heihei, but it just the simple MD5
HASH digest for the userName. the whole routine mainly use the MD5 HASH
function two times to produce an 128 bit value, finaly picking up bytes
from the result and using it to look up the hex-table to yield the real
RegCode.i assume its name string3. the string1 is yielded by firstly MD5
HASH with the userName. string2 is made up with the string1 and last 6
number of the fake key, use the string2 to do the second MD5 HASH function
to yield the string3. later on i'll explain it in details.

above call is calculating the MD5 HASH digest of the uppercase of the
input userName and get first two bytes of the digest and store it to a
memory locations for the later processing. this generate the string1.
the first two bytes.

through out a long way we come here. the call above is the first step
to
construct the string2. by default, the string2 is initialized with '01 00'
as the first two bytes. this call fetch another two bytes in the memory loc
which store the string1 ordword zero before by the checking of h_num. cat
it to string2 follow the '01 00', now it is look like '01 00 xx xx' which
xx xx is denoted string1.

this piece of code take the last two chars and convert them to hexadecimal
format, and combine them to a byte. afterward,storing the result as a word into
the string2 series. now the string2 is look like '01 00 xx xx xl 00' which
xl denote to the hex-format of the last two bytes of the fake key.

the fronter functions of the above two calls is use to do the same work
'convert' and 'combine' with the reciprocal 3~6 chars. and the second call
stores the result two bytes into the string2. and here finish constructing
the string2. now it looks like this:

char *string = "01 00 xx xx xl 00 ab cd"; which ab and cd denote to the
result yield by the above two calls.

this paragraph is the core checking code, cl contained the first 8 fake
key that we entered before. and it picked out bytes from the string3 by each
iteration step 2,that's mean it selected the odd number chars of string3. 1,
3, 5, 7, 9 till 15. and move the byte just picked to the dl. anddl with 0fh,
looking up the hex table to yield the real RegCode. finally compary every yielded
RegCode with cl about 8 times, if any of check was not match then game over.
so here we can get the first 8 bytes of the real RegCode. and combine it with
the last 6 byte of the fake key which wo base on to calculate the first part
of
the RegCode,we conclude our Regcode now!

below snippet is the outer range of the main routine related to the upper
code before the core checking routine... why i mention this? the SnagIt! has
a version check by checking the value of the last byte of the reg code, as the
above slim operations.

xordi,
dimovdi,
last_byte adddi,
0ffbfh cmpdi,
050h ja @good
adddi,
0ch ja @good
call MessageBoxA,
...offset " your register key are \ out of time".
so do remeber that , never let the last number yielded from the convert
and combine
operation with the entered last two chars less than 85d.
.
.
.

that all over the work. cause of my poor english, i just can do this
essay
like this. i've try my best. so i beg your pardon for any errors and uncompat
-
ibilities among this essay.
at the same time, despite some of the errors and shortages, i hope you
would
learn somethings from it!

my greeting fly to all of the guys of the kanxue forum. and all the crackers
in china!